Nov 05 2020 12:00 PM
I was reading about a ransomware strain that deletes any folder called "System Volume Information" in an effort to prevent recovery, so I went to set up a hunting query or detection for that event. I combed through the schema -- and a machine timeline after deleting some folders -- but I don't see a way to detect folder (or file) deletion events. Am I missing something?
Nov 07 2020 06:41 AM
Nov 30 2020 04:59 PM
@Thijs Lecomte I've looked through the schema and scoured existing events but can't find anything. While I respect the power of Sysmon, I'm not at an organization with the resources to realistically collect Sysmon logs from every endpoint.
Dec 05 2020 06:59 AM